Hello world, North Korea has a new ransomware operation, and it's raising money to help

"close the gap between the rich and poor" by "help[ing] the poor and starving people".

The ransomware victims get something out of it too, sure you'll have to shell out a few

bitcoin for your files to be decrypted, but you get the added benefit of "increasing your

security awareness".

I'm not making this up... this is "HolyGhost's" dark web site, they're a ransomware group,

recently attributed to North Korea by Microsoft's "threat intelligence center".

I can't imagine what was running through the mind of whoever typed up "HolyGhost's" homepage,

how they managed to convince themselves that this low effort Robin Hood larp was anything

other than embarrassing, and obviously not convincing anyone.

The last line in particular cracks me up, that they're doing this "To increase your

security awareness" - that's like a murderer killing someone and then justifying it by

saying they only wanted to raise awareness of the threat murderers pose.

It's so silly, that surely this is just some parody and can't actually be the work of the

same North Koreans that successfully pull of crypto heists worth hundreds of millions

of dollars.

Well, according to Microsoft, there are some key indicators that "H0lyGh0st" otherwise

known as "DEV-0530" is run by North Korean government hackers, because they "[have] connections

with another North Korean-based group, tracked as PLUTONIUM", these connections include operating

from the same infrastructure as well as "using tools created exclusively by PLUTONIUM" which

aren't publicly available.

Also, in order determine HolyGhost's geographical location Microsoft analysed the time of day

that the group is generally active, or as they put it a "temporal analysis", Microsoft

found that HolyGhost's activity is consistent with North Korea's timezone.

If this is the work of North Korean state backed hackers, it wouldn't be their first

ransomware operation - however there is a more interesting theory... that this isn't

supported by the North Korean government per se.

But rather a kind of side hustle for North Korean government hackers, a personal project,

for their own financial gain.

The reasoning for this is, "the attackers frequently asked victims for anywhere from

1.2 to 5 Bitcoins."

but they were willing to negotiate and "in some cases, lowered the price to less than

one-third of the initial asking price."

- now this amount of money is nothing compared to North Korea's government operations which

can net hundreds of millions of dollars.

Also, "HolyGhost" targets small to medium sized businesses, whereas North Korea's government

backed hacks typically go after a much broader set of victims.

All this points to an operation run by people with access to the same tools, but not with

the same time, effort and resources as those government sponsored attacks.

Also, if you're wondering why I'm having to use the low resolution screenshots from Microsoft's

report, that's because the group's onion site has vanished in the last few days, interesting

timing given that coincided with Microsoft publishing their report - it could of course

just be a coincidence, but if this operation was the side hustle of North Korean hackers,

the report might have spooked them into abandoning ship before their superiors found out.

Next up, it's not often that being a victim of a hack actually makes you money.

But this is one of those strange rare occasions... in which a Dutch university managed to make

€300 thousand Euros from being a victim of a ransomware attack.

So in 2019, a ransomware gang gave Maastricht university in the Netherlands an early Christmas

present when on the 23rd of December hundreds of the university's computers were infected

with Clop Ransomware, not only that but many of the university's backups were also affected

- because... they weren't properly segregated the university's network.

As usual the source of the attack was a phishing email opened by an unwitting employee.

Being a victim of a ransomware attack is a headache at the best of times, but it was

made even worse due to the university's research being encrypted as well as impending exams.

So, about a week after the ransomware struck, the decision was made to pay the ransom, of

30 bitcoin, which at the time was roughly equivalent to €200 thousand euros.

And that was where the story ended - until earlier this month when there was a "remarkable

development" - turns out that Dutch authorities managed to trace the payment to hackers in

Ukraine - which shouldn't come as much of a surprise given that cyber criminals tend

to base themselves in ex soviet countries as the law enforcement in those countries

generally don't cooperate with Western intelligence.

Ukraine though, is obviously, one big exception.

And so, with the help of Ukrainians authorities, the cyber criminals were identified as belonging

to the gang "SectorJ04" - which eventually led to the entire trove of 30 bitcoins being

retrieved.

And this is where the money making comes in - the university bought the bitcoin in early

2020, for roughly 10k USD per coin, since then the price has a little bit more than

doubled, leaving them €300 thousand euros in profit.

Sadly though, they missed bitcoin's all time high, if the coins were retrieved just a few

months earlier they would be worth well over a million euros.

Since the recovery, the university has said they'll use the gains to help students in

need - so I guess this is a bit of a happy ending.

Though it's not a complete W, as the recovered funds are no where near enough to cover the

cost of the damages the university incurred during the actual hack - this will have included

staff working overtime, and flying in recovery specialists to work on site to help resolve

the issue.

In fact, according to Sophos, whilst the average ransom demanded from companies is $170 thousand

dollars, extra costs due to downtime averages at $1.85 million dollars - so in reality the

ransom payment itself is almost insignificant when compared to just how much disruption

ransomware attacks generally cause.

Next up, an ex-CIA employee has been convicted of leaking top secret documents to wikileaks,

these eventually became known as the vault 7 leaks.

It's been a while since the vault 7 leaks were published, roughly 5 years - it's easy

to forget just how enormous a news story this was at the time.

It was arguably the biggest leak in CIA history, with wikileaks claiming it exposed "the entire

hacking capacity of the CIA".

To give you a quick reminder, vault 7 uncovered how the "CIA 'hoarded' [zero day vulnerabilities],

some of these affecting IOS and Android" - the leaks also described "techniques [permitting]

the CIA to bypass the encryption of WhatsApp, Signal, [and] Telegram".

Vault 7 also brought to light some of the CIA's creepier projects, including an attack

called "weeping angel", it was developed in collaboration with UK intelligence and targeted

Samsung smart TVs, the attack "places the target TV in a 'Fake-Off' mode, so that the

owner falsely believes the TV is off when it is on.

In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending

them over the Internet to a covert CIA server."

But this is just a taster of what vault 7 included, in total, hundreds of millions of

lines of code were exposed, it was really quite extraordinary.

However, eventually an ex CIA employee "Joshua Schulte" became suspected of being the source

of the leak.

And this is where things take a darker turn from just espionage, so after the FBI accessed

his computer and it's encrypted contents, which was made pretty easy as Shulte was fond

of reusing passwords - they apparently found "over 10,000 images and videos of [cp]", - so,

if you were wondering why you haven't heard this guy being revered by pro privacy people,

as someone like Edward Snowden might be, you now know why.

The charges for the images found on his computer are still pending, but when it comes to the

Vault 7 leaks, just a couple days ago "Schulte was found guilty of nine charges" and is facing

more than 80 years in prison.

And if you're confused why it's taken more than 5 years to come to a conclusion on this,

the latest trial is actually a retrial.

The first trial ended in 2020 with a hung jury.

This video was made possible by Linode, who are giving you a $100 60-day credit just for

signing up.

Linode is essentially your swiss army knife for cloud computing, if it runs on linux it'll

run on Linode.

One great feature of Linode is their app marketplace which makes it super easy to spin up servers

with preconfigured software.

For example, use Linode's pi-hole app to set up a DNS sinkhole, that you can use to block

ads across all your devices - and yes I recognise the irony in promoting ad blocking within

an ad!

Linode can run almost anything, by providing all the tools a developer really needs at

competitive prices.

Use the link in the description now to claim your free $100.

As always sources can be found in the video description, stay tuned for more hacking videos

and have a good one.